[clamav-users] Fwd: Re: Clamav File - Virus detected by Microsoft Defender
G.W. Haywood
clamav at jubileegroup.co.uk
Sun Nov 29 00:22:15 UTC 2020
Hi there,
On Sat, 28 Nov 2020, Alejandro Hernández via clamav-users wrote:
> The 'clamav tmp file' detected by M-Defender was:
> file: C:\Users\Alejandro\AppData\Local\Temp\ClamWinPortableTemp\clamav-04c260ec0d7bc2675378f5ead51c44d0.00001648.clamtmp
>
> Detected: Trojan:Win32/Wacatac.C!ml
Now I think I understand.
It appears that you ran ClamWinPortable, which produced some temporary
files and left them lying around in the filesystem. ClamAV does use
the filesystem for temporary storage, so that isn't very surprising.
Windows Defender then found something in one of these temporary files.
It's possible that this is a 'false positive'. False positives are
not uncommon. Or it might be that ClamWin really did find something
nasty, and left some evidence in its temporary directory. I know very
little about how ClamWin behaves.
But one of the tricks that malware authors get up to is disguising the
files that they create in your filesystem as something else. So if it
seems likely that the temporary file really was created by ClamWin (it
should for example have a timestamp at a time when ClamWin was running)
and wasn't created by malware (which I think is unlikely but possible)
then the simplest thing to do would be to delete it. If you are going
to remove ClamWin 0.99.4 and install 0.103 then you can probably delete
everything relating to ClamWinPortable anyway. You might want first
to upload the file to VirusTotal or Jotti's virus scan to see if the
dozen or more other virus scanners they use think it's a problem.
https://virustotal.com/
https://virusscan.jotti.org/
Has the computer ever suffered from malware?
--
73,
Ged.